Re: FreeRADIUS + OpenLDAP + NAS (it's make me crazy!!! please HELP)

2008-03-20 Thread Koko Kurniawan
Thank you...

Now it works successfully.

But if my client disconnects and reconnects again, now it doesn't need to input
user name and password again. It's directly connected...

Is it right???
   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS + OpenLDAP + NAS (it's make me crazy!!! please HELP)

2008-03-20 Thread Ivan Kalik
Not really. But Windows XP caches credentials:

http://support.microsoft.com/kb/823731

Ivan Kalik
Kalik Informatika ISP


On 20/3/2008, Koko Kurniawan [EMAIL PROTECTED] wrote:

> Thank you...
>
> Now it works successfully.
>
> But if my client disconnects and reconnects again, now it doesn't need to input
> user name and password again. It's directly connected...
>
> Is it right???



FreeRADIUS + OpenLDAP + NAS (it's make me crazy!!! please HELP!!!)

2008-03-19 Thread Koko Kurniawan
Please, help me..

I am confused.

Why can't my FreeRADIUS server detect the password that I write on the client?
I am using OpenLDAP for the database.

rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
User-Name = htrisnadi
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000e0168747269736e616469
NAS-IP-Address = 10.10.53.100
Message-Authenticator = 0x4e8851c2f8e7f31d426d4a853af3ef1d

...

auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 1
modcall: leaving group LDAP (returns invalid) for request 1
auth: Failed to validate the user.
Login incorrect: [htrisnadi/no User-Password attribute] (from client liv1 port 0)


There is no User-Password in there.
Should I change the configuration? In which file?


 
   

Re: FreeRADIUS + OpenLDAP + NAS (it's make me crazy!!! please HELP!!!)

2008-03-19 Thread Alan DeKok
Koko Kurniawan wrote:
> Why can't my FreeRADIUS server detect the password that I write on the
> client?

  Because the password is NOT in the RADIUS packet.  Go read it: no
User-Password attribute.

> rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76,
> length=83
> User-Name = htrisnadi
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0201000e0168747269736e616469

  EAP is an authentication protocol that does not send the password from
the client to the server.

> auth: type LDAP

  You forced Auth-Type := LDAP.  DO NOT DO THAT.

  Please explain WHY you are doing this, and WHERE in the documentation
(or web pages) it said to do this.

> There is no User-Password in there.
> Should I change the configuration? In which file?

  Do NOT set Auth-Type.  If LDAP has a clear-text password available for
the user, FreeRADIUS will figure out how to authenticate the user.

  Alan DeKok.
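
As an added illustration (not part of the original thread), the Python below parses the Access-Request attributes quoted above and decodes the EAP-Message per RFC 3748; it shows the packet is an EAP-Response/Identity carrying only the user name, so there is no User-Password for rlm_ldap to use. The helper names are hypothetical, and it assumes the EAP packet fits in a single EAP-Message attribute.

```python
import re

# Constructed sample: the Access-Request attributes as posted in the thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
User-Name = htrisnadi
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000e0168747269736e616469
NAS-IP-Address = 10.10.53.100
Message-Authenticator = 0x4e8851c2f8e7f31d426d4a853af3ef1d
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def parse_attributes(debug_text):
    """Return {attribute: value} for every 'Name = value' line of a debug dump."""
    attrs = {}
    for line in debug_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9-]+) = (.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def decode_eap(hex_value):
    """Decode the RFC 3748 layout: code(1) identifier(1) length(2) [type(1) data]."""
    raw = bytes.fromhex(hex_value.removeprefix("0x"))
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError("truncated EAP packet or wrong length field")
    eap = {"code": EAP_CODES.get(raw[0], str(raw[0])), "id": raw[1], "length": len(raw)}
    if raw[0] in (1, 2) and len(raw) > 4:      # only Request/Response carry a type
        eap["type"] = EAP_TYPES.get(raw[4], str(raw[4]))
        eap["data"] = raw[5:]
    return eap

def credential_form(attrs):
    """Name the credential the request carries and whether it is a password."""
    if "User-Password" in attrs:
        return "PAP: User-Password present"
    for name in ("CHAP-Password", "MS-CHAP-Response", "MS-CHAP2-Response"):
        if name in attrs:
            return f"{name}: challenge response, no password"
    if "EAP-Message" in attrs:
        eap = decode_eap(attrs["EAP-Message"])
        return f"EAP {eap['code']}/{eap.get('type', '-')}: no password"
    return "no credential attribute"
```
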


Re: FreeRADIUS + OpenLDAP + NAS (it's make me crazy!!! please HELP!!!)

2008-03-19 Thread Koko Kurniawan
Thanks for the answer,
I want to ask something:
what do you mean about the password is NOT in the RADIUS packet??

So where is the user-password??

I have removed Auth-Type := LDAP in users..
It's still not working. What must I do?

LDAP doesn't know EAP, so what kind of authentication must I use?

Can you give me a suggestion for the ideal configuration for my FreeRADIUS + OpenLDAP
so that the authentication is performed successfully?

I will show you my FreeRADIUS log, and I hope you will correct that.

Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radius
 main: group = radius
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = radiusd
Module: Instantiated pam (pam)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = localhost
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = 
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = (null)
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = allow
 ldap: password = 
 ldap: basedn = dc=aiueo,dc=com
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = {CRYPT}
 ldap: password_attribute = userPassword
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT

Re: FreeRADIUS + OpenLDAP + NAS (it's make me crazy!!! please HELP!!!)

2008-03-19 Thread Ivan Kalik
> Thanks for the answer,
> I want to ask something:
> what do you mean about the password is NOT in the RADIUS packet??
>
> So where is the user-password??


Most protocols don't work on password matching but on challenge-response.

> I have removed Auth-Type := LDAP in users..
> It's still not working. What must I do?


So where is the debug?

> LDAP doesn't know EAP, so what kind of authentication must I use?


Don't force anything. Server will figure it out.

> Can you give me a suggestion for the ideal configuration for my FreeRADIUS + OpenLDAP
> so that the authentication is performed successfully?


Configuration looks fine. Debug of the request will tell more.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + OpenLDAP + NAS (it's make me crazy!!! please HELP!!!)

2008-03-19 Thread Alan DeKok
Koko Kurniawan wrote:
> Thanks for the answer,
> I want to ask something:
> what do you mean about the password is NOT in the RADIUS packet??

  I mean it's not.

> So where is the user-password??

  Some authentication protocols do not require exchanging the password.
 CHAP, MS-CHAP, and EAP all work this way.

> I have removed Auth-Type := LDAP in users..
> It's still not working. What must I do?

  Post the debug log, as suggested in the FAQ, README, INSTALL, etc.

> LDAP doesn't know EAP, so what kind of authentication must I use?

  We know that LDAP doesn't do EAP.  This isn't news.

> Can you give me a suggestion for the ideal configuration for my FreeRADIUS +
> OpenLDAP
> so that the authentication is performed successfully?

  Configure LDAP & EAP.  It's that easy.

> I will show you my FreeRADIUS log, and I hope you will correct that.

  You didn't show the server receiving any authentication packets.

  Alan DeKok.
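
As an added illustration (not part of the original thread), the Python below carries out the CHAP computation from RFC 1994, the simplest of the challenge-response methods named above: the password never crosses the wire, and the server can only check the response if the directory holds the clear-text password. Function names and sample values are constructed; SHA-1 stands in for whatever one-way hash a directory might store in userPassword.

```python
import hashlib
import hmac

def chap_response(chap_id, password, challenge):
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def server_verify(chap_id, challenge, response, stored, stored_is_cleartext):
    """Check a CHAP response against what the directory holds for the user.
    Returns True/False, or None when the stored form makes the check impossible."""
    if not stored_is_cleartext:
        # A one-way hash cannot be fed back into MD5(id || password || challenge).
        return None
    expected = chap_response(chap_id, stored, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    password = b"constructed-password"            # constructed sample value
    chap_id, challenge = 7, bytes(range(16))      # constructed; real servers use random bytes
    response = chap_response(chap_id, password, challenge)   # computed by the client
    on_the_wire = bytes([chap_id]) + challenge + response    # all that is transmitted
    wrong = chap_response(chap_id, b"wrong-guess", challenge)
    hashed = hashlib.sha1(password).digest()      # stand-in for a hashed userPassword
    return {
        "password_on_wire": password in on_the_wire,
        "cleartext_store": server_verify(chap_id, challenge, response, password, True),
        "wrong_password": server_verify(chap_id, challenge, wrong, password, True),
        "hashed_store": server_verify(chap_id, challenge, response, hashed, False),
    }
```
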